What is an SPF record?

SPF is an email authentication record that lists approved hostnames, domains and IP addresses for a given domain. They can also contain a set range of IPs allowing anyone within the window to send from the domain.

The receiving server checks for an SPF record whenever an approved user sends an email. If it finds one, and the sender’s IP address is on the list, it passes the check and is more likely to land inside the inbox. Content factors will still play a role in determining whether or not you reach the inbox or the spam folder.

When the SPF record does not contain the address, it follows the instructions in the DMARC file if one is present. The message can end up in the spam folder or the email service can reject it entirely.

This simultaneously protects both your domain and the recipient. It becomes more difficult for spammers to abuse your domain, while the latter can reliably receive legitimate emails from your team.

Why domains require SPF record protection

To protect your brand’s email deliverability and reputation, you must know which addresses are sending messages on your behalf.

Using our SPF generator, you can create a list of approved hostnames, domains, and IP addresses that may utilize your domain name. This will help prevent spoofing.

Without this protection, you’re vulnerable to spoofers looking to exploit vulnerabilities in your network. Hackers often spoof domains to support phishing attacks which seize sensitive data from customers and leads. They can easily create from addresses that appear legitimate but issue harmful content to recipients.

These attacks give way to spam and abuse reports against your domain. This damages your reputation among your email list and email service providers (ESPs). The consequences range from bounce rate increases to blacklistings.

Creating a record using the SPF generator

ZeroBounce can help you prevent spoofing by creating your own records for email authentication. Follow these steps to generate your SPF record in just a few minutes.

1. Enter your domain name in the field provided. This is what follows the @ symbol in a given address.
   
   username@domain_name.top_level_domain
2. For “Does the domain send mail,” switch the toggle to yes or no.
   
   You should create an SPF record for all your domains even if you are not using them to send messages. Spammers often target these and use them in phishing scams.
   
   Adding an SPF record to these domains can alert ESPs of illegitimate email activity.
3. Though we generally associate MX records with inbound mail, you may also configure it to have an active outbound mail server.
   
   If your MX record deals with outbound mail, switch this toggle to yes. This will update your DNS with information about the IPs we will use to initiate the outbound email connections.
4. The next toggle refers to the PTR mechanism. PTR abbreviates “pointer” as in DNS Pointer Record.
   
   Typically, servers verify emails using an A record to identify the sender’s IP address. If your IP matches one on the SPF record, you pass.
   
   PTR is the inverse of the normal process. It will use the IP address to find the associated email domain. Switching the toggle to yes allows you to utilize PTR instead of the standard procedure.
   
   PTR generally acts far slower. The validation process may time out, leading to more undelivered emails. Therefore, we do not recommend using PTR.
5. The next toggle allows you to determine if there are additional email servers you wish to add to this record.
   
   Switching the toggle to “Yes” opens five additional fields. In these you can include:
   
   A records
   MX-records
   IPV4 addresses
   IPV6 addresses
   
   Note: If you need to add additional records, click the green + symbol to the right of the respective field.
6. Finally, select the action you want to occur if a sender fails your new SPF check.
   
   Fail tells the service to reject the email.
   
   Soft fail allows the service to deliver the email. However, the message is more likely to go to the spam folder.
   
   Neutral will not define the failed IP address. Instead, you can defer to the mechanisms within your DMARC record (if one exists) to determine a pass or fail.

After inputting your choices, your newly-generated SPF record appears below. There are three options available for use which we will now further define.

SPF record using DMARC and DKIM

Taking advantage of our free SPF generator is a vital first step. Your new SPF record will assist with email authentication and deter many would-be spammers.

However, it can further protect your email deliverability when you use it alongside additional sophisticated email security features such as DMARC (Domain-Based Message Authentication, Reporting, and Conformance) and DKIM (DomainKeys Identified Mail).

The reasoning for this is due to the limitations of SPF records. To better explain this, let’s look at how the process works.

An email message contains two addresses. One is the email server's return path to cross-reference with the SPF record. If it finds the address within the SPF record, it will approve the check and deliver it to the inbox. However, this return address is not visible to the recipient.

This allows spammers to spoof the invisible return address while presenting a legitimate domain name in the email’s “from” section. They can achieve this by exploiting loopholes in your listed IP range or seizing outdated addresses on your domain that are no longer in use.

Using your SPF record with DKIM and DMARC security records adds a necessary security layer to prevent spoofing. This mode of email authentication will help protect your domain from unauthorized users if your SPF record check fails.

These three records work together to create a highly-personalized email signature for everyone that utilizes your email domain.

Other email authentication tools

Deliverability ToolsDKIM GeneratorDMARC GeneratorSPF Generator